cyclid 0.2.0

data/app/cyclid/sinatra/auth_helpers.rb

@@ -0,0 +1,127 @@
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Top level module for the core Cyclid code.
+module Cyclid
+  # Module for the Cyclid API
+  module API
+    # Some constants to identify types of API operation
+    module Operations
+      # Read operations
+      READ = 1
+      # Write (Create, Update, Delete) operations
+      WRITE = 2
+      # Administrator operations
+      ADMIN = 3
+    end
+
+    # Sinatra Warden AuthN/AuthZ helpers
+    module AuthHelpers
+      # Return an HTTP error with a RESTful JSON response
+      # XXX Should probably be in ApiHelpers?
+      def halt_with_json_response(error, id, description)
+        halt error, json_response(id, description)
+      end
+
+      # Call the Warden authenticate! method
+      def authenticate!
+        env['warden'].authenticate!
+      end
+
+      # Authenticate the user, then ensure that the user is authorized for
+      # the given organization and operation
+      def authorized_for!(org_name, operation)
+        authenticate!
+
+        user = current_user
+
+        # Promote the organization to 'admins' if the user is a SuperAdmin
+        org_name = 'admins' if super_admin?(user)
+
+        begin
+          organization = user.organizations.find_by(name: org_name)
+          halt_with_json_response(401, Errors::HTTPErrors::AUTH_FAILURE, 'unauthorized') \
+            if organization.nil?
+          Cyclid.logger.debug "authorized_for! organization: #{organization.name}"
+
+          # Check what Permissions are applied to the user for this Org & match
+          # against operation
+          permissions = user.userpermissions.find_by(organization: organization)
+          Cyclid.logger.debug "authorized_for! #{permissions.inspect}"
+
+          # Admins have full authority, regardless of the operation
+          return true if permissions.admin
+          return true if operation == Operations::WRITE && permissions.write
+          return true if operation == Operations::READ && (permissions.write || permissions.read)
+
+          Cyclid.logger.info "user #{user.username} is not authorized for operation #{operation}"
+
+          halt_with_json_response(401, Errors::HTTPErrors::AUTH_FAILURE, 'unauthorized')
+        rescue StandardError => ex # XXX: Use a more specific rescue
+          Cyclid.logger.info "authorization failed: #{ex}"
+          halt_with_json_response(401, Errors::HTTPErrors::AUTH_FAILURE, 'unauthorized')
+        end
+      end
+
+      # Authenticate the user, then ensure that the user is an admin and
+      # authorized for the resource for the given username & operation
+      def authorized_admin!(operation)
+        authorized_for!('admins', operation)
+      end
+
+      # Authenticate the user, then ensure that the user is authorized for the
+      # resource for the given username & operation
+      def authorized_as!(username, operation)
+        authenticate!
+
+        user = current_user
+
+        # Users are always authorized for any operation on their own data
+        return true if user.username == username
+
+        # Super Admins may be authorized, depending on the operation
+        if super_admin?(user)
+          begin
+            organization = user.organizations.find_by(name: 'admins')
+            permissions = user.userpermissions.find_by(organization: organization)
+            Cyclid.logger.debug permissions
+
+            # Admins have full authority, regardless of the operation
+            return true if permissions.admin
+            return true if operation == Operations::WRITE && permissions.write
+            return true if operation == Operations::READ && (permissions.write || permissions.read)
+          rescue StandardError => ex # XXX: Use a more specific rescue
+            Cyclid.logger.info "authorization failed: #{ex}"
+            halt_with_json_response(401, Errors::HTTPErrors::AUTH_FAILURE, 'unauthorized')
+          end
+
+        end
+
+        halt_with_json_response(401, Errors::HTTPErrors::AUTH_FAILURE, 'unauthorized')
+      end
+
+      # Check if the given user is a Super Admin; any user that belongs to the
+      # 'admins' organization is a super admin
+      def super_admin?(user)
+        user.organizations.exists?(name: 'admins')
+      end
+
+      # Current User object from the session
+      def current_user
+        env['warden'].user
+      end
+    end
+  end
+end

data/app/cyclid/sinatra/warden/strategies/api_token.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'warden'
+require 'jwt'
+
+# Top level module for the core Cyclid code.
+module Cyclid
+  # Module for the Cyclid API
+  module API
+    # Warden Strategies
+    module Strategies
+      # API Token based strategy
+      module APIToken
+        # Authenticate via. an API token
+        Warden::Strategies.add(:api_token) do
+          def valid?
+            request.env['HTTP_AUTHORIZATION'].is_a? String and \
+              request.env['HTTP_AUTHORIZATION'] =~ /^Token .*$/
+          end
+
+          def authenticate!
+            begin
+              authorization = request.env['HTTP_AUTHORIZATION']
+              username, token = authorization.match(/^Token (.*):(.*)$/).captures
+            rescue
+              fail! 'invalid API token'
+            end
+
+            user = User.find_by(username: username)
+            fail! 'invalid user' if user.nil?
+
+            begin
+              # Decode the token
+              token_data = JWT.decode token, user.secret, true, algorithm: 'HS256'
+              claims = token_data.first
+              if claims['sub'] == user.username
+                success! user
+              else
+                fail! 'invalid user'
+              end
+            rescue
+              fail! 'invalid API token'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/cyclid/sinatra/warden/strategies/basic.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'warden'
+require 'bcrypt'
+
+# Top level module for the core Cyclid code.
+module Cyclid
+  # Module for the Cyclid API
+  module API
+    # Warden Strategies
+    module Strategies
+      # HTTTP Basic authentication based strategy
+      module Basic
+        # Authenticate via. HTTP Basic auth.
+        Warden::Strategies.add(:basic) do
+          def valid?
+            request.env['HTTP_AUTHORIZATION'].is_a? String and \
+              request.env['HTTP_AUTHORIZATION'] =~ /^Basic .*$/
+          end
+
+          def authenticate!
+            begin
+              authorization = request.env['HTTP_AUTHORIZATION']
+              digest = authorization.match(/^Basic (.*)$/).captures.first
+
+              user_pass = Base64.decode64(digest)
+              username, password = user_pass.split(':')
+            rescue
+              fail! 'invalid digest'
+            end
+
+            user = User.find_by(username: username)
+            if user.nil?
+              fail! 'invalid user'
+            elsif BCrypt::Password.new(user.password).is_password? password
+              success! user
+            else
+              fail! 'invalid user'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/cyclid/sinatra/warden/strategies/hmac.rb

@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'warden'
+
+# Top level module for the core Cyclid code.
+module Cyclid
+  # Module for the Cyclid API
+  module API
+    # Warden Strategies
+    module Strategies
+      # HMAC based strategy
+      module HMAC
+        # Authenticate via. HMAC
+        Warden::Strategies.add(:hmac) do
+          def valid?
+            request.env['HTTP_AUTHORIZATION'].is_a? String and \
+              request.env['HTTP_AUTHORIZATION'] =~ /^HMAC .*$/
+          end
+
+          def authenticate!
+            begin
+              authorization = request.env['HTTP_AUTHORIZATION']
+              username, hmac = authorization.match(/^HMAC (.*):(.*)$/).captures
+
+              # The nonce may be empty; that isn't an error and the signature
+              # will validate with a Nil nonce
+              nonce = request.env['HTTP_X_HMAC_NONCE']
+            rescue
+              fail! 'invalid HMAC'
+            end
+
+            user = User.find_by(username: username)
+            fail! 'invalid user' if user.nil?
+
+            begin
+              method = request.env['REQUEST_METHOD']
+              path = request.env['PATH_INFO']
+              date = request.env['HTTP_DATE']
+
+              Cyclid.logger.debug "user=#{user.username} method=#{method} path=#{path} \
+                date=#{date} HMAC=#{hmac} nonce=#{nonce}"
+
+              signer = Cyclid::HMAC::Signer.new
+              if signer.validate_signature(hmac,
+                                           secret: user.secret,
+                                           method: method,
+                                           path: path,
+                                           date: date,
+                                           nonce: nonce)
+                success! user
+              else
+                fail! 'invalid user'
+              end
+            rescue StandardError => ex
+              Cyclid.logger.debug "failure during HMAC authentication: #{ex}"
+              fail! 'invalid headers'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/app/db.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require 'active_record'
+require 'logger'
+
+begin
+  case ENV['RACK_ENV']
+  when 'development'
+    database = if defined? Cyclid
+                 Cyclid.config.database
+               else
+                 'sqlite3:development.db'
+               end
+
+    ActiveRecord::Base.establish_connection(
+      database
+    )
+
+    ActiveRecord::Base.logger = if defined? Cyclid
+                                  Cyclid.logger
+                                else
+                                  Logger.new(STDERR)
+                                end
+  when 'production'
+    ActiveRecord::Base.establish_connection(
+      Cyclid.config.database
+    )
+
+    ActiveRecord::Base.logger = Cyclid.logger
+
+    Cyclid.logger.level = Logger::INFO
+  when 'test'
+    Cyclid.logger.info 'In test mode; not creating database connection'
+  end
+
+rescue StandardError => ex
+  abort "Failed to initialize ActiveRecord: #{ex}"
+end

data/bin/cyclid-db-init

@@ -0,0 +1,107 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+# Copyright 2016 Liqwyd Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+$LOAD_PATH.push File.expand_path('../../app', __FILE__)
+
+require 'require_all'
+require 'logger'
+require 'active_record'
+require 'securerandom'
+
+ENV['RACK_ENV'] = ENV['RACK_ENV'] || 'development'
+
+require 'cyclid/config'
+
+# Top level module for the core Cyclid code; just stub out to provide the
+# bare minimum required to inject data via. the models.
+module Cyclid
+  class << self
+    attr_accessor :logger, :config
+
+    begin
+      Cyclid.logger = Logger.new(STDERR)
+
+      config_path = ENV['CYCLID_CONFIG'] || File.join(%w(/ etc cyclid config))
+      Cyclid.config = API::Config.new(config_path)
+    rescue StandardError => ex
+      abort "Failed to initialize: #{ex}"
+    end
+  end
+end
+
+require 'db'
+require 'cyclid/models'
+
+require_relative '../db/schema.rb'
+
+include Cyclid::API
+
+ADMINS_ORG = 'admins'
+RSA_KEY_LENGTH = 2048
+
+def generate_password
+  (('a'..'z').to_a.concat \
+    ('A'..'Z').to_a.concat \
+      ('0'..'9').to_a.concat \
+        %w($ % ^ & * _)).sample(8).join
+end
+
+def create_admin_user
+  secret = SecureRandom.hex(32)
+  password = generate_password
+  user = User.new
+  user.username = 'admin'
+  user.email = 'admin@example.com'
+  user.secret = secret
+  user.new_password = password
+  user.save!
+
+  [secret, password]
+end
+
+def create_admin_organization
+  key = OpenSSL::PKey::RSA.new(RSA_KEY_LENGTH)
+
+  org = Organization.new
+  org.name = ADMINS_ORG
+  org.owner_email = 'admins@example.com'
+  org.rsa_private_key = key.to_der
+  org.rsa_public_key = key.public_key.to_der
+  org.salt = SecureRandom.hex(32)
+  org.users << User.find_by(username: 'admin')
+end
+
+def update_user_perms
+  # 'admin' user is a Super Admin
+  user = User.find_by(username: 'admin')
+  organization = user.organizations.find_by(name: ADMINS_ORG)
+  permissions = user.userpermissions.find_by(organization: organization)
+  Cyclid.logger.debug permissions
+
+  permissions.admin = true
+  permissions.write = true
+  permissions.read = true
+  permissions.save!
+end
+
+secret, password = create_admin_user
+create_admin_organization
+
+update_user_perms
+
+STDERR.puts '*' * 80
+STDERR.puts "Admin secret: #{secret}"
+STDERR.puts "Admin password: #{password}"